Week 4, day 2, and a scheduled 70 minutes of videos. I find that studying the information and taking notes should take about 2 to 2.5 hours. I have less than two weeks of study, but some of those days are 150 minutes of videos in a day, which could be a good 3.5 hours of study time for the way that I learn. So let’s get started.


Section 28: ACLs – Access Control Lists

  • Identifies traffic based on packet info such as IP address (source/destination), port, protocol, etc
  • ACLs work on both routers and switches
  • ACLs were originally a security feature to permit or deny traffic passing through the device; with no ACL applied, the device forwards all traffic
  • ACLs are also used to identify traffic for QoS (Quality of Service) policy and for address translation in NAT (Network Address Translation)
  • ACLs are made up of ACEs (Access Control Entries)
  • ACL Syntax
    • Example ACE
      • access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23
        • Standard vs Extended ACL
          • access-list “100″
            • Standard ACL 1-99, 1300-1999
              • Match on the source address only
            • Extended ACL Range: 100-199, 2000-2699
              • Match on protocol, source address, destination address and port number
        • Access statement
          • access-list 100 “deny | permit | remark” (the IOS keyword is permit, not allow)
        • Protocol
          • ahp – Authentication Header Protocol
          • eigrp – Cisco’s EIGRP routing protocol
          • esp – Encapsulating Security Payload
          • gre – Generic Routing Encapsulation (Cisco’s GRE tunneling)
          • icmp – Internet Control Message Protocol
          • ip – Any Internet Protocol
          • ospf – OSPF routing protocol
          • tcp – Transmission Control Protocol
          • udp – User Datagram protocol
        • Source IP address/IP address range
          • access-list 100 permit ip “10.10.10.0” 0.0.0.255
        • Wildcard mask
          • access-list 100 permit ip 10.10.10.0 “0.0.0.255”
          • A 0 bit in the wildcard must match the address bit and a 1 bit is ignored, so 0.0.0.255 matches all of 10.10.10.0/24 and 0.0.0.0 matches exactly one host
          • The default wildcard mask is 0.0.0.0
            • If you don’t enter a wildcard mask the device uses the default
          • You must enter a wildcard mask when specifying an IP subnet
            • The system will accept a subnet address without a wildcard mask, but with the 0.0.0.0 default the entry then matches only the single host 10.10.10.0, not the subnet
          • If you 
        • Network Port
          • Port operators and host designators
            • any = Any host (source or destination), the same as 0.0.0.0 255.255.255.255
            • eq = equal to
            • gt = greater than
            • host = A single host, the same as a 0.0.0.0 wildcard mask
            • lt = less than
            • neq = Match only packets not on a given port number
            • range = Match only packets in the range of port numbers
        • Destination IP address/IP address range
        • Destination wildcard mask
          • The destination has no default wildcard mask, so if it is not entered an error message is returned.
        • Additional options (TCP flags, logging, and the port operators again)
          • ack = Match on the ACK bit
          • eq = Match only packets on a given port number
          • established = Match TCP segments with the ACK or RST bit set, i.e. replies to connections already started from the other side; a bare SYN does not match
          • fin = Match on the FIN bit
          • gt = Match only packets with a greater port number
          • log = Log matches against this entry
          • log-input = Log matches against this entry, including the input interface
          • lt = Match only packets with a lower port number
          • neq = Match only packets not on a given port number
          • range = Match only packets in the range of port numbers
          • rst = Match on the RST bit
          • syn = Match on the SYN bit
          • urg = Match on the URG bit
          • Others not listed here
      • Named ACLs
        • You can refer to ACLs by number or by a name
        • named ACLs begin the command ‘ip access-list’ instead of just ‘access-list’
        • Command Example for Named ACL syntax
          • (config)#ip access-list standard [name]
          • (config-std-nacl)#deny 10.10.10.10 0.0.0.0
          • (config-std-nacl)#permit 10.10.10.0 0.0.0.255
        • Verification commands
          • show access-lists [acl# | name] or show ip access-lists [acl# | name]
    • ACL Operations
      • Access Groups
        • ACLs are applied at the interface level with the ‘ip access-group’ command
        • You can have a max of 1 ACL per interface, per direction (in/out), per protocol
      • Command example
        • (config)#int gigabitEthernet0/1
        • (config-if)#ip access-group 100 out
        • (config-if)#ip access-group 101 in 
      • Verification Command
        • #show ip interface [interface] | include access list
      • Access Control Entry Order
        • ACL is read by the router from top to bottom
        • When a rule is matched by the packet, the permit or deny action is applied and no more rules are evaluated.
      • Injecting ACE in an Existing ACL
        • In ip access-list configuration mode ACEs get sequence numbers automatically, in increments of 10 (10, 20, 30, ...)
        • This allows a rule to be placed between pre-existing rules by giving it an in-between sequence number (e.g. 15); the older ‘access-list’ command always appends to the end
        • Command example
          • (config)#ip access-list extended 110
          • (config-ext-nacl)#[sequence#] [deny|permit] [protocol] host [sourceIP] host [destinationIP] eq [port]
      • Implicit Deny All
        • If there is no ACL applied to an interface, any traffic will be able to pass.
        • If an ACL is applied, an implicit deny all sits at the end of it, so a permit rule is needed for any traffic that should pass through the interface (an ACL containing only deny entries blocks everything).
      • An outbound ACL does not filter traffic generated by the device itself (its own pings, routing updates, etc.); an inbound ACL does still filter traffic addressed to the device.
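The matching rules from these notes (wildcard masks, the 0.0.0.0 default for an omitted source wildcard, source-only standard ACLs, top-to-bottom first match, the implicit deny, and the established keyword) carried through in a small evaluator. This is an added example written for these notes, not code from the course or from Cisco IOS. The ACL numbers, addresses, ports and packets are constructed samples, and the parser follows the notes' rule that a destination without a wildcard mask is an error (treat that as an assumption about real IOS behaviour):

```python
"""Toy evaluator for Cisco IOS access-list syntax (added example, not Cisco code).
Implements the rules in the notes: wildcard masks, source-only standard ACLs, the
0.0.0.0 default for an omitted source wildcard, first match top to bottom, and
the implicit deny. Every ACE and packet here is a constructed sample."""
import ipaddress
import operator

STANDARD = set(range(1, 100)) | set(range(1300, 2000))
EXTENDED = set(range(100, 200)) | set(range(2000, 2700))
OPS = {"eq": operator.eq, "neq": operator.ne, "gt": operator.gt, "lt": operator.lt}
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Bits that are 0 in the wildcard must be equal; 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


def _take_addr(tokens, role):
    # Consume 'any', 'host X', 'X WILDCARD' or a bare 'X'; returns (base, wildcard)
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and tokens[0][0].isdigit():  # a following dotted quad is the wildcard
        return (tok, tokens.pop(0))
    if role == "source":
        return (tok, "0.0.0.0")  # IOS default: a bare source address means one host
    raise ValueError(f"destination {tok} has no default wildcard; mask required")


def _take_port(tokens):
    # Consume an optional port operator; returns a predicate over a port number
    if not tokens or (tokens[0] not in OPS and tokens[0] != "range"):
        return lambda port: True
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lambda port: lo <= port <= hi
    val = int(tokens.pop(0))  # numeric ports only here (IOS also accepts names)
    return lambda port: OPS[op](port, val)


def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens.pop(0)
    number, action = int(tokens.pop(0)), tokens.pop(0)
    if action == "remark":
        return None  # remarks are never matched against traffic
    if action not in ("permit", "deny"):
        raise ValueError(f"IOS keywords are permit/deny, not {action!r}")
    ace = {"action": action, "line": line}
    if number in STANDARD:  # standard ACLs test the source address only
        ace.update(proto="ip", src=_take_addr(tokens, "source"), dst=ANY,
                   sport=lambda p: True, dport=lambda p: True)
    elif number in EXTENDED:
        ace["proto"] = tokens.pop(0)
        ace["src"] = _take_addr(tokens, "source")
        ace["sport"] = _take_port(tokens)
        ace["dst"] = _take_addr(tokens, "destination")
        ace["dport"] = _take_port(tokens)
    else:
        raise ValueError(f"{number} is outside the standard and extended ranges")
    ace["established"] = "established" in tokens  # leftover keywords: established, log, ...
    return ace


def load_acl(lines):
    return [ace for ace in map(parse_ace, lines) if ace]


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    if ace["proto"] in ("tcp", "udp") and not (ace["sport"](pkt["sport"]) and ace["dport"](pkt["dport"])):
        return False
    # 'established' matches only TCP segments with ACK or RST set, i.e. return traffic
    return not ace["established"] or bool(pkt.get("flags", set()) & {"ack", "rst"})


def evaluate(acl, pkt):
    """Top to bottom, first match wins; no match at all means the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["line"]
    return "deny", "implicit deny (no ACE matched)"


def demo():
    """Constructed packets against constructed ACLs; returns {case: (action, matched ACE)}."""
    acl_100 = load_acl([
        "access-list 100 remark keep the user LAN off the server's telnet port",
        "access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23",
        "access-list 100 permit tcp any host 10.10.20.1 eq 22",
        "access-list 100 permit tcp any any established"])
    acl_101 = load_acl([  # same deny behind a broad permit: it is shadowed and never matches
        "access-list 101 permit tcp any any",
        "access-list 101 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23"])
    acl_10 = load_acl(["access-list 10 permit 10.10.10.0"])  # no wildcard: one host, not a /24
    telnet = dict(proto="tcp", src="10.10.30.7", dst="10.10.20.1", sport=51000, dport=23, flags={"syn"})
    reply = dict(proto="tcp", src="10.10.20.1", dst="10.10.30.7", sport=22, dport=51000, flags={"ack"})
    return {"telnet": evaluate(acl_100, telnet),
            "ssh": evaluate(acl_100, dict(telnet, dport=22)),
            "reply": evaluate(acl_100, reply),
            "new_http": evaluate(acl_100, dict(telnet, dst="10.10.20.9", dport=80)),
            "telnet_shadowed": evaluate(acl_101, telnet),
            "std_host": evaluate(acl_10, dict(proto="ip", src="10.10.10.0", dst="10.10.20.1")),
            "std_other": evaluate(acl_10, dict(proto="ip", src="10.10.10.5", dst="10.10.20.1"))}
```

Running demo() shows the deny ACE catching Telnet from 10.10.30.0/24, the established entry permitting the SSH reply while a fresh SYN to port 80 falls through to the implicit deny, the same deny doing nothing once a permit tcp any any sits above it, and the bare 10.10.10.0 in ACL 10 matching that one host and nothing else in the /24.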